Category: Bachaav

null Bangalore Bachaav Session | OWASP ESAPI Java Security | 12th July 2014

A completely hands-on session on integrating OWASP ESAPI into a sample web application

For further details and Registration/RSVP please visit the following URL:

null Bangalore Bachaav Session | OWASP ESAPI Java Security | 12th July 2014

Champion: Satish | Profile: http://swachalit.null.co.in/event_sessions/30-satish

The following topics will be covered:

  • Introduction
  • Three faces of web security
  • Eclipse basics
  • Installing/configuring the Tomcat application server
  • Plugging the Tomcat application server into Eclipse
  • Developing a sample web application in JSP (login page, registration page)
  • Integrating ESAPI into the web application
  • Using the ESAPI Encoder API in the code and testing
  • Using the ESAPI Validator (data validation) API in the code and testing
  • Testing XSS with and without ESAPI
  • Testing SQL Injection with and without ESAPI
  • Testing Log forging with and without ESAPI

Information and Instructions

    1. This is a completely free but invite only event.
    2. You require prior invitation to be able to attend this event.
    3. To get an invite, these are roughly the steps you need to follow
      • Register on the swachalit portal
      • Register for the event on the portal
      • If required fill more details on a Google Form. You need to submit both the Google Form and the registration form to be eligible for an invitation.
    4. Invites to the event are at the discretion of the Bachaav Champion.
    5. The Bachaav Champion wants to cover a certain training in a fixed time. This means they choose which applicants are likely to gain the most and derive the most value from the event.
    6. Registrations are not transferable.
    7. If you have been selected but are unable to attend, please inform us.
    8. Your seat would be allotted to someone from the waiting list.
    9. Walk-in participants are not allowed to attend any invite-only session.

More information about null Bachaav Hands-On Workshops

http://null.co.in/2013/11/18/announcing-null-bachaav-defensive-security-workshops/

[null Bangalore bachaav] | Code Review | 5th July 2014

Hi All,

Announcing the null Bachaav session “Code Review”. Like all null Bangalore Bachaav sessions, this is free but registration is compulsory. A group of participants will be selected from the registrations, since Bachaav is invite only and requires prior registration and approval by the Bachaav champion. Here are the details:

Bachaav Title: Code Review

Bachaav Champion: Sandesh Anand

When: 5th July 2014, 10 AM – 6 PM

Registration Link: http://swachalit.null.co.in/events/12-code-review/event_registrations/new

Bachaav Description: This will be a completely hands-on session on code review. The following topics will be covered:

  • Introduction to code review
  • Basics of J2EE
  • Setting up the “test” application in Eclipse
  • Walkthrough of the installed Eclipse plugins
  • Manual verification of security controls – Authentication, Authorization, Input handling, Encryption etc.
  • Scripting to help manual review
  • Running a scan using open source tools (e.g. FindBugs)
  • Primer on data flow analysis – how it affects code review
  • Fixing issues: This includes:
    1. How to provide recommendation advice
    2. How to validate fixes
    3. Applying a couple of fixes from the code reviewed
Note: Please make sure all the prerequisites are up and running before the session starts. If you are facing any issues with the setup, please try to come to the venue 30 minutes before the session starts and get them fixed.
Pre-requisites:
  • 6 months to 1 year minimum coding experience (any OOP language will do, preferably J2EE)
  • Basic Application Security knowledge (OWASP Top 10 etc)
  • Basic understanding of Cryptography (e.g.: difference between hashing and encryption)
  • Hardware requirements: Any operating system which can install Eclipse
  • Software requirements: Eclipse IDE and the latest version of the JDK
Registrations are not transferable. If you have been selected but are unable to attend, please inform the organizers. Your seat would be allotted to someone from the waiting list. Walk-in participants will not be allowed to attend this session.
Short Bio:

null Bachaav Workshop|Secure Coding in JAVA |Pune| 9th March 2014 – SUNDAY

[The Bachaav session has been postponed to 9th March 2014 – Sunday]

The other details remain the same. Sorry for the inconvenience caused.

We are glad to announce Pune’s very first “Bachaav” session. A Bachaav (Hindi for ‘to secure’) session is one where we concentrate on defending assets, in this case Java-based applications.

We would recommend Java developers to attend this session, and others are welcome too :)
[Please Note : This is an Invite-only session. We would select 30 registrants based on the forms they fill. The registration will close on 5th March – Wednesday  (IST 21:59) and the selected registrants would receive a confirmation thereafter. ]
Below are the details for the Bachaav session.

Bachaav Title: Secure Coding with Java.
 
Bachaav Champion: Abhi Nigam
 
Short Bio: Abhi is a Software Developer working with Cybage Software Pvt. Ltd. He works in the BFSI domain, where secure coding is a mandatory prerequisite. He is currently working on a project that provides a commercial lending feature to US Bank and JP Morgan Chase. He is also associated with two open source projects, which he is developing with his friends.
 

When : 9th March 2014

Time: 11 am – 4 pm.
Registration:    http://goo.gl/WtRA4a   (Only 30 seats so please hurry)
 
Pre-Requisites: At least a basic understanding of Java (or object-oriented programming). Please bring your own laptop with the JRE and JDK 1.7 pre-installed.
Duration of session: 4 hrs (approx.)
Description: The session will deal with secure coding practices in Java. It will cover the basic, language-independent concepts of secure coding and then explore topics that are specific to Java.
These include:
1. Object-oriented secure practices
2. Thread API
3. Thread pools
4. Serialization
5. Platform security
6. Run-time environment
 
In a nutshell: We will look at code samples and discuss how to secure each piece of code. Apart from that, there will be some general guidelines on how to improve the quality of the code we write.
What to expect: You will have a better understanding of coding in Java, which will help you to write secure and optimized code. It will be an interactive session and I hope to learn from you as much as I deliver to you. We will be looking at code samples, and very little code will be written by you in this session.
What NOT to expect: This session won’t teach you the basics of Java.
Location: The selected participants would be informed about the location.

 

null Bachaav | Client-Side JavaScript Security | 21st December 2013

Client-Side Javascript Security

Bachaav sessions are free to attend but only with prior invitation. Participants will be selected based on how they fill the registration form. All applications are evaluated by the Bachaav Champion to select those who the Champion thinks will get the most from the session. Only selected applicants will be emailed further details. Even though we would like to get everyone to attend, sometimes the topic at hand requires extensive knowledge of the subject and this means that the Champion may not feel confident to have an applicant in the session.

Click here to register for this workshop

Session Introduction

This session will cover a small part of JavaScript security, which is of prime importance nowadays. Today, JavaScript is the one language that runs on practically every machine by default, because it is the scripting language of the browser. Due to the weaknesses of earlier ECMAScript versions and the very quirky implementation of the Document Object Model (DOM) in browsers, dealing with JavaScript code can become tricky at times.

If you have ever wondered about the security implications that lie beneath these quirky behaviours, this session is for you. Talking about client-side browser security for a whole day would be cool, but how about we make it more relevant to our day-to-day web applications?

The session would concentrate on

  • Fixing browser-based injection attacks like DOM XSS
  • Sandboxing the DOM properties
  • Implications of polluting the global namespace
  • The thought process of bypassing XSS filters, and then fixing them

Since defending requires a very good understanding of what the attack surface looks like, we make sure the attacking part is completely covered as a primer before defending anything. You don’t need to be a mutation XSS expert to attend this. As long as you know what JavaScript is and have written basic web applications, you will find this useful and interesting.
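As an added illustration of two of the themes above (example code written for this page, not material from the session or its champion), the following self-contained JavaScript contrasts a blacklist XSS filter with output encoding, walks a handful of constructed payloads through both, and shows how a frozen namespace resists global pollution. Because no real DOM is available here, `parseTags` is assumed as a stand-in for what the HTML parser does with `element.innerHTML`; the function names and payloads are the example's own.

```javascript
// Added example: blacklist filtering vs. encoding for a DOM sink, and freezing a
// namespace against global pollution. Names and payloads are constructed for
// this page; parseTags stands in for what a browser does with element.innerHTML.

// A naive blacklist filter that only strips <script> elements.
function naiveFilter(input) {
  return String(input).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Context-aware encoding for an HTML text context: the browser renders the
// result as literal text, so no new tags or event handlers can be introduced.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Simulated innerHTML sink (assumption: no DOM here). Returns the tag names the
// HTML parser would create from the string; any tag means markup got through.
function parseTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][\w-]*)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Constructed payloads: the first two are what the blacklist expects; the rest
// show the attacker's thought process of reaching for another tag or handler.
const PAYLOADS = [
  "<script>alert(1)</script>",
  "<ScRiPt>alert(1)</ScRiPt>",
  "<img src=x onerror=alert(1)>",
  "<svg/onload=alert(1)>",
  '<a href="javascript:alert(1)">x</a>',
];

// Runs each payload through a defence and reports whether markup survives.
function evaluateDefence(defence) {
  return PAYLOADS.map((payload) => ({
    payload,
    bypassed: parseTags(defence(payload)).length > 0,
  }));
}

// Global pollution: an encoder exposed on a mutable object can be replaced by
// any later script with an identity function. Freezing the namespace makes that
// assignment fail; strict mode turns the silent failure into a TypeError.
const SafeDom = Object.freeze({ encodeForHtml, parseTags });

function pollutionBlocked() {
  "use strict";
  try {
    SafeDom.encodeForHtml = (s) => s;   // attempted override
    return false;                       // only reached if the override succeeded
  } catch (e) {
    return e instanceof TypeError && SafeDom.encodeForHtml("<b>") === "&lt;b&gt;";
  }
}

// Stand-alone run: show which payloads beat each defence.
console.log("naive filter:", evaluateDefence(naiveFilter));
console.log("encoding    :", evaluateDefence(encodeForHtml));
console.log("pollution blocked:", pollutionBlocked());
```

The blacklist removes both `<script>` spellings and nothing else, so the `img`, `svg` and `a` payloads reach the sink intact; encoding the value for its HTML context leaves no payload with a parseable tag. The same data placed in a JavaScript string, a URL or an attribute needs the encoder for that context instead.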

Pre-requisites

  • Basic knowledge of JavaScript.
  • Written a few basic web applications

Bachaav Champion | @skeptic_fx

Nafeez Ahamed works as a security engineer solving exciting new problems in the security space. His areas of expertise include client-side security and network security. Most of his time is spent trying to find new ways to defend things in the browser. He feels that defending anything is much harder than attacking, especially if you know what the sophisticated attackers are up to.

For more information about Bachaav Workshops you can visit here.

null Bachaav Workshop | Secure your WordPress | Bangalore | 30th November 2013

Hello all,

Introducing null “Bachaav” workshops.

With many “humla” sessions ongoing and more in the pipeline, we are pleased to start a new series in the defence category: “Bachaav”. “Bachaav” sessions will be purely oriented towards techniques for defending against online attacks on different platforms, systems, etc. Mitigations against various specific attacks will be covered in this series.

Along the same lines as the humla sessions, “Bachaav” sessions will be free but with compulsory registration. A group of participants will be selected from the registrations, since “Bachaav” is invite only and requires prior registration and approval by the “Bachaav” champion. Here are the details for our first “Bachaav” session.

Bachaav Title: Secure your WordPress
Bachaav Champion: Anant Shrivastava
When: 30th November 2013, 10 AM to 06 PM

Registration: http://goo.gl/eNhXAc

Intro :
WordPress is one of the fastest-growing and simplest-to-configure CMS / blogging platforms. However, as with any popular project, it comes with its own security caveats and configuration quirks.
This session will focus on the “SECURE” setup and configuration of the WordPress platform across a range of setups, from shared hosting to a dedicated hosting provider.
Topics to be covered:
  • WordPress installation
  • Varied platforms (shared, dedicated, cloud/VPS)
  • Limitations / benefits of each setup
  • Hardening of the WordPress setup
  • Server configuration
  • WordPress configuration
  • Tips and cautions

Pre-requisite knowledge:
Linux command line and knowledge of any dynamic scripting language, preferably PHP.

Short Bio:
Anant Shrivastava is a Security Consultant. He started his career as a Linux Administrator. He holds the GWAPT, CEH, CSTP and RHCE certifications. He has spoken at various conferences such as Nullcon, c0c0n, Clubhack and g0s. He maintains a website at http://www.anantshri.info

For more information about Bachaav Workshops you can visit here.

Announcing null Bachaav – Defensive Security workshops

Bachaav (meaning defence in Hindi) is a completely hands-on workshop with the clear focus on learning the tools, techniques and approaches of defensive security using simulated servers and networks.

Bachaav is different from a normal null meet in its focus and duration. The focus is on learning specific tools and techniques and the duration is about 5-6 hours of hands-on work.

null Bachaav Basics

  • null Bachaav events are invite only

Keeping them exclusive allows us to keep the logistics simple, the course content focused and the interactions very engaging.

  • null Bachaav events are completely hands-on

The idea is to learn defensive security, therefore everyone is expected to come prepared and do the hands-on in a group.

  • null Bachaav events require you to bring your laptop

There is no pairing up while doing hands-on. The point is to ensure that you actually get the practice while learning.

  • null Bachaav events are about 5-6 hours

This is enough time to get everyone up to speed and comfortable with the topic at hand.

  • A null Bachaav event is led by 1-2 champions in that particular topic

One or two hackers who have the experience and skills are assigned as Bachaav Champions for a particular topic. They are completely responsible for the course content and for ensuring that all the group members learn the concepts and the attacks being defended against.

null Bachaav MO

  1. Applications to take part will be invited from null members.
  2. The champions will select the ten best applications for the topic. This is based on the profile of the applicants and the champion’s discretion.
  3. Once selected the hackers will be informed and they need to come to the workshop with the required things like laptop etc.

null Bachaav Topics

The following are some of the proposed Bachaav workshops. These may change depending on the availability of Bachaav Champions.

  • Securing WordPress
  • Securing a PHP MySQL based application and server
  • 802.1x Authentication
  • Getting beginners ready for Bachaav

New workshops will be announced on the null mailing list.